MX Alternatives

Adam
Kind of a big deal


Serious question.  I'm probably one of the largest Meraki fanboys here.  But one thing that drives me crazy is the MX limitations on internet bandwidth.  With larger pipes being available for much cheaper these days it is hard to swallow having to buy an MX84 or MX100 to get > 200M.  What's your guys thoughts on this?

 

Has anyone ever reviewed any products like this? https://www.ubnt.com/edgemax/edgerouter-x/

 

I'm just trying to think of solutions for smaller sites 10-15 users where fast bandwidth is available.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
PhilipDAth
Kind of a big deal

An MX64/MX65 will do 250Mb/s.

 

I do feel your pain though. We have a Gigabit fibre in our office - plugged into an MX64. I couldn't talk myself into getting an MX84 (maybe next time), and an MX100 is too expensive for the size of our company.

 

If you want a contrast, in Cisco Enterprise world you would need a Cisco 4451.  And that starts at about usd$15k, but often ends up a lot more due to licences - and you don't end up with anything as comprehensive as Meraki provides (in a single box solution).

LV_MW_MSP
Getting noticed

Best I have seen for price/performance with security enabled is Fortigate by Fortinet.. check them out, they score very high next to Palo Alto on threat detection.

Out of the box they do SSL decryption by doing MITM -- I lost a bitcoin company who went with Fortinet because of price and performance. They needed a 1Gbps connection, and 100% require everyone to VPN to access all resources. The Meraki was way more expensive and slower.
Owen
Getting noticed

I bought an edgerouter-x two weeks ago to replace an MX64. It will outperform the MX for routing and routing feature set (including IPv6) but you won't be able to do any content filtering or IPS with it. I had to enable dynamic DNS on it with OpenDNS and use that instead for content.

Adam
Kind of a big deal

Would be nice if there were a way to use the EdgeRouter-X to get the benefits of internet speed but still use the MX64 for everything else.  I can't think of a way to do this though without losing the IDS/IPS from the MX.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
Owen
Getting noticed

Transparent MX between edgerouter and internal switch as a content filter. You can't do VLANs though when in transparent between the router and switch.

Adam
Kind of a big deal


@Owen wrote:

Transparent MX between edgerouter and internal switch as a content filter. You can't do VLANs though when in transparent between the router and switch.


Interesting idea.  I wouldn't need the VLANs since I could do those on the core switch.  Have you tried something like this?  Does it circumvent the bandwidth restriction of the MX?  Would it still allow me to use the MX for IDS/IPS and Content Filtering? What are your thoughts as well @PhilipDAth

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
PhilipDAth
Kind of a big deal

It doesn't circumvent the bandwidth restrictions. You can still do IPS and content filtering.

 

Note that if you do routing downstream with a switch you lose the ability to use group policies, since they are applied based on MAC address - and you won't be able to see the MAC address of the client anymore if a downstream switch is doing the VLAN routing.

Uberseehandel
Kind of a big deal


@Adam wrote:

. . . . . one thing that drives me crazy is the MX limitation on internet bandwidth.  With larger pipes being available for much cheaper these days it is hard to swallow having to buy an MX84 or MX100 to get > 200M.  What's your guys thoughts on this?

 

Has anyone ever reviewed any products like this? https://www.ubnt.com/edgemax/edgerouter-x/

 

I'm just trying to think of solutions for smaller sites 10-15 users where fast bandwidth is available.  


I have some experience with UBNT product. Our small network, which gets complicated and where Meraki cannot provide the services required, is split into two:

 

Meraki - secure network using MX, MS & MR serving workstations, laptops and authorised mobile devices.

UBNT - UniFi - handles multicast, Chromecast, Guest network, IoT devices, smart TVs/monitors, video playout, audio processing etc.

 

The UniFi network has a CloudKey that is accessible remotely which provides a single pane style dashboard to run that side of the network. We still have to delve into the CLI and use a "fiddly" procedure to ensure the configuration is not lost on rebooting or upgrade.

 

The EdgeMax range is more traditional and CLI based (EdgeOS is a fork of Vyatta), but that is changing with a new dashboard style management tool being available in beta.

 

UBNT has released an EdgeMax router capable of 80 million Gbps / 18 million pps which is also in beta release as a UniFi product. If this is overkill, there are lesser routers/gateways available with varying levels of throughput, dependent upon activation of DPI and IDS. IPv6 is a work in progress.

 

By splitting the network I am less concerned by crap on the portion designed to serve all the dodgy kit; I only need to worry about what is behind the MX.

 

The MX uplinks to a LAN port that goes straight out the WAN port. It works, as does connecting devices on the naughty step to secure devices using HDMI cables to continue meeting our analytic workstation requirements seamlessly.

 

The issue of WAN speed is overdue for addressing by Meraki. 1Gb/1Gb FTTP is available locally for £50 per month (but not in our exact location). By way of comparison, if I take the Internet access cost out of the telco provided package, 80Mb/20Mb costs £45 per month. Everybody will take the FTTP package (probably at 200-300Mbps) as soon as available. 

 

The reality is, what security appliances, routers will handle this sort of speed? Certainly not the small MXs.

 

If we add in the lack of proper native IPv6 support (no tunnelling, no performance deg), the lack of multicast capability, SHA-1 issues, one could say that the MX range is long overdue for a complete overhaul.

 

If the MX is being replaced, to address these and other shortcomings, I would ask them to also consider moving to a Zonal security model, much more intuitive, one of the things I like about the SRX-300 from the Gin Palace (alas no proper multicast).

 

One of the problems with splitting/duplicating the network is a noticeable increase in electricity consumption. To say nothing of larger rack space requirements, and some additional thought required when changing anything.

 

Life would be simpler with an MX designed for today's requirements.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
MRCUR
Kind of a big deal

@Uberseehandel FYI - the UniFi model of the EdgeRouter Infinity is available now: http://www.doubleradius.com/Manufacturers/New-Ubiquiti/ubiquiti-unifi-8-xg-gateway-router.html

 

It's a bit pricier than I expected. 

MRCUR | CMNO #12
Uberseehandel
Kind of a big deal


@MRCUR wrote:

 

It's a bit pricier than I expected. 


At that price it is time to check out the alternatives. It would be so nice if the MXX range sorted out the MX's feature shortcomings. And the Z3 needs to handle multicast and IPv6 properly, it is supposed to be for telecommuters. 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
dpf
Here to help

openbgp on supermicro pizza box
IgorPodgorny
Getting noticed

We had Meraki for 3 years and switched to FortiNet, and we still have home offices on Meraki.

There is a learning curve as those things are 10x more capable and feature rich, but also more complex. They do have cloud management as well, but if a device comes with gig ports, it's pushing gig. I've been pushing ~300 clients through 2x 1gig uplinks with a FortiGate 60F (~$1000) without any problems.
